
Thread: MS Word Zero-Day Exploit Found

  1. #1
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252

    MS Word Zero-Day Exploit Found

    From Slashdot

    MS Word Zero-Day Exploit Found

    Posted by Zonk on Friday May 19, @02:37PM
    from the don't-do-any-work-today dept.
    subbers writes "A zero-day flaw in the Microsoft Word program is being used in an active exploit by sophisticated hackers in China and Taiwan, according to warnings from anti-virus researchers. The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail and drops a backdoor with rootkit features when the document is opened and the previously unknown vulnerability is triggered. From the article: 'The e-mail was written to look like an internal e-mail, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.'"
    Slashdot Link: http://it.slashdot.org/it/06/05/19/1718203.shtml

    Also in ISC:

    ISC Link: http://isc.sans.org/diary.php?storyid=1346

    Annnd from FSecure (from the ISC text):

    Summary

    Ginwui is a fully-featured backdoor with rootkit features. This backdoor was distributed inside a document file with a shell-code that dropped the backdoor's file to a hard drive and activated it.

    Detailed Description

    The shell-code in the Word document decrypts and drops the backdoor's file as CSRSE.EXE to the temporary folder and activates it.

    After being run, the dropped file in its turn extracts and drops another file to the system. This file is dropped as WINGUIS.DLL to the Windows System folder and its DoHook function is activated by the dropper. The dropper then deletes itself from the system.

    The dropped DLL file is the main backdoor component. It traps several functions and modifies information that is passed to the user. As a result the backdoor's file, startup key in the Registry and process are not visible to the user.

    The backdoor creates a startup key for its file in the Registry:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs" = "%WinSysDir%\winguis.dll"

    where %WinSysDir% represents the Windows System folder, which by default is C:\Windows\System32\.

    Once active, the backdoor connects to a specified address in order to receive commands from a hacker. The backdoor allows a hacker to do any of the following on an infected computer:

    -> create, read, write, delete and search for files and directories
    -> access and modify the Registry
    -> manipulate services
    -> start and kill processes
    -> take screenshots
    -> enumerate open windows
    -> create its own application window
    -> get information about infected computer
    -> lock, restart or shutdown Windows
    -> create a pipe and read files from it
    -> start a remote command shell
    -> enumerate network resources

    The backdoor also creates 3 empty SYS files in the \drivers\ subfolder of Windows System folder.

    ...
    ..
    .

    Write-up: Alexey Podrezov, May 19, 2006

    Technical Details: Alexey Podrezov, May 19, 2006
    FSecure Link: http://www.f-secure.com/v-descs/ginwui_a.shtml

    I'm sure there will be more to follow on this...
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  2. #2
    Good!

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    *sigh*

    Another new user who can't read the FAQ.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm,

    I wonder if anti-malware applications that protect the Registry would thwart this one?

    Something like RegistryProt:

    http://www.diamondcs.com.au/index.php?page=products

    There are a variety of other freebies on this site if you fancy a browse.


  5. #5
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    The exploit arrives as an ordinary Microsoft Word document attachment to an e-mail...

    Seems I haven't heard much about Word exploits in a while, so I'd bet many will fall for this even if it's the same ole toon - attachments.

    As suggested, a little change control might be in order. Wonder if Scotty would work as RegistryProt might?

    cheers
    Connection refused, try again later.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Relyt

    Yes he will, I run both at the same time (have done for years) and it is interesting as to which one warns you first.

    I realise that I am probably in a minority, but I have believed in the Registry protection approach ever since I figured out that most crap tries to alter the Registry.

    OK, it isn't any good for your granny or Joe Soap, as they wouldn't understand the question, but I have deployed Scotty on a lot of people's boxes and it seems to work. I just explain that if they update software or install something new they will get warnings. If they are just using the computer as normal then there shouldn't be any.

    I also like the "sandbox" concept (hey, that goes back to Berkeley and the beginnings of Unix, if not before?) for e-mail and IM.



    EDIT: Sorry "Scotty" is WinPatrol: http://www.winpatrol.com
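
    An added example (not F-Secure's code and not anything posted in this thread) tying together the write-up in post #1 and the Registry-protection idea nihil describes above: the backdoor persists through the AppInit_DLLs value, so the two checks below are (a) flag any DLL that value loads which is not on an allowlist, and (b) the RegistryProt/WinPatrol-style check, a diff of a baseline export of the key against a current one. It assumes you have exported the key to .reg text with the stock `reg export` command; the two exports in the script are constructed samples, with only the key, value name and winguis.dll path taken from the F-Secure text.

```python
"""
Offline audit of the Registry persistence described in the write-up.

Added example, not code from F-Secure or from anyone in this thread. It assumes
two plain-text exports of the key the write-up names, produced with
    reg export "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" file.reg
(standard "Windows Registry Editor Version 5.00" format). The two exports below
are constructed samples; only the AppInit_DLLs value and the path from the
write-up are taken from the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: clean baseline export (AppInit_DLLs is empty on a clean box).
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
'''

# Constructed sample: the same key after the persistence the write-up describes.
# .reg exports escape backslashes inside REG_SZ data, hence the doubled ones.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\winguis.dll"
"DeviceNotSelectedTimeout"="15"
'''

# Key paths are case-insensitive in the Registry, so everything is stored lower-cased.
APPINIT_KEY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\windows'

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

Snapshot = Dict[str, Dict[str, str]]
Change = Tuple[str, str, str, str, str]


def _unescape(s: str) -> str:
    """Undo .reg escaping: backslash followed by any character becomes that character."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Snapshot:
    """Parse a .reg text export into {key_path: {value_name: data}}.

    REG_SZ data ("...") is unescaped; other types (dword:, hex:) are kept as the
    raw text after '=' and hex continuation lines are ignored.
    """
    snapshot: Snapshot = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor') or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            if current.startswith('hklm\\'):  # accept the short hive name too
                current = 'hkey_local_machine\\' + current[len('hklm\\'):]
            snapshot.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = '(Default)' if name == '@' else _unescape(name[1:-1])
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            snapshot[current][name] = data
    return snapshot


def check_appinit_dlls(snapshot: Snapshot, allowlist=frozenset()) -> List[str]:
    """Return the DLLs listed in AppInit_DLLs that are not on the allowlist.

    Every DLL named there is loaded into every process that loads user32.dll, so
    on a clean machine the value is normally empty; anything else needs review.
    """
    value = snapshot.get(APPINIT_KEY, {}).get('AppInit_DLLs', '')
    allowed = {a.lower() for a in allowlist}
    dlls = [d for d in re.split(r'[ ,]+', value.strip()) if d]
    return [d for d in dlls if d.lower() not in allowed]


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """RegistryProt/WinPatrol-style change detection between two exports:
    (key, value_name, 'added'|'removed'|'changed', old_data, new_data)."""
    changes: List[Change] = []
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key, {}), current.get(key, {})
        for name in sorted(set(before) | set(after)):
            if name not in before:
                changes.append((key, name, 'added', '', after[name]))
            elif name not in after:
                changes.append((key, name, 'removed', before[name], ''))
            elif before[name] != after[name]:
                changes.append((key, name, 'changed', before[name], after[name]))
    return changes


def audit(baseline_text: str, current_text: str, allowlist=frozenset()) -> dict:
    """Run both checks against the current export and return the findings."""
    current = parse_reg_export(current_text)
    return {
        'changes': diff_snapshots(parse_reg_export(baseline_text), current),
        'unexpected_appinit': check_appinit_dlls(current, allowlist),
    }


if __name__ == '__main__':
    report = audit(BASELINE_REG, INFECTED_REG)
    for key, name, kind, old, new in report['changes']:
        print(f'{kind:8} {key}\\{name}: {old!r} -> {new!r}')
    for dll in report['unexpected_appinit']:
        print('AppInit_DLLs loads an unexpected DLL:', dll)
```

    On the constructed samples the diff reports one changed value (AppInit_DLLs going from empty to the winguis.dll path) and the allowlist check names that DLL. The diff is the part a RegistryProt- or WinPatrol-style tool does live; the allowlist check is what you would run over exports taken from a fleet, with any DLL a product legitimately registers there added to the allowlist so only the unexpected ones surface.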

  7. #7
    Originally posted here by nihil
    Hmmmm,

    I wonder if anti-malware applications that protect the Registry would thwart this one?

    Something like RegistryProt:

    http://www.diamondcs.com.au/index.php?page=products

    There are a variety of other freebies on this site if you fancy a browse.

    Another nice one, which you may not have heard of, which acts as an intrusion prevention system for Windows and which is also free, is Prevx.

  8. #8
    Due to the overwhelmingly popular response to my "Good!" comment, I have decided to release an actual post. Also, **** you for not just ignoring it like a mature person (on that note, **** me for not ignoring you like a mature person). Practice good security, communicate with the sender via a trusted channel to confirm that they sent you the email and the attachment.

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    Also, **** you for not just ignoring it like a mature person (on that note, **** me for not ignoring you like a mature person).
    Hi SicWitt,
    I hope this will be helpful advice. In the future, if you don't like a particular software program or vendor, please give reasons for your opinion in a logical, well thought out manner. Usually, one word posts add little to a discussion and are highly susceptible to being misinterpreted. I hope your future association with AO will be productive and fruitful. I look forward to learning from your posts.

    I think you are an idiot Phalse. Keep track of your ****. Do you have a "phone home" on TV and in all your books, pencils, and clothing? Hell no. If you responded to this question with a technical answer... wow.
    Hmm, a little more expansive, but not quite what I was thinking of. I'm afraid if you keep this up your time on site will be short.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  10. #10
    Hi SicWitt,
    I hope this will be helpful advice. In the future, if you don't like a particular software program or vendor, please give reasons for your opinion in a logical, well thought out manner. Usually, one word posts add little to a discussion and are highly susceptible to being misinterpreted. I hope your future association with AO will be productive and fruitful. I look forward to learning from your posts.
    ... Self righteous *****.
